Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
e0a6a21a
Commit
e0a6a21a
authored
Mar 31, 2021
by
GitLab Release Tools Bot
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'dev/master'
parents
825cde32
cb4bd170
Changes
30
Hide whitespace changes
Inline
Side-by-side
Showing
30 changed files
with
382 additions
and
50 deletions
+382
-50
CHANGELOG-EE.md
CHANGELOG-EE.md
+21
-0
CHANGELOG.md
CHANGELOG.md
+65
-0
app/models/merge_request.rb
app/models/merge_request.rb
+2
-2
app/models/project.rb
app/models/project.rb
+1
-1
app/services/projects/unlink_fork_service.rb
app/services/projects/unlink_fork_service.rb
+2
-0
app/views/shared/issuable/_sidebar.html.haml
app/views/shared/issuable/_sidebar.html.haml
+1
-1
changelogs/unreleased/mimemagic_shim.yml
changelogs/unreleased/mimemagic_shim.yml
+0
-5
changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml
...unreleased/remove-direct-mimemagic-dependency-minimal.yml
+0
-5
changelogs/unreleased/remove-direct-mimemagic-dependency.yml
changelogs/unreleased/remove-direct-mimemagic-dependency.yml
+0
-5
changelogs/unreleased/remove_hipchat_gem.yml
changelogs/unreleased/remove_hipchat_gem.yml
+0
-5
config/initializers/asciidoctor_patch.rb
config/initializers/asciidoctor_patch.rb
+20
-0
doc/api/system_hooks.md
doc/api/system_hooks.md
+2
-2
ee/app/policies/ee/issuable_policy.rb
ee/app/policies/ee/issuable_policy.rb
+13
-0
ee/changelogs/security-360-prevent-any-users-from-deleting-metrics-issue-images.yml
...-prevent-any-users-from-deleting-metrics-issue-images.yml
+5
-0
ee/lib/ee/api/issues.rb
ee/lib/ee/api/issues.rb
+3
-6
ee/lib/ee/banzai/filter/label_reference_filter.rb
ee/lib/ee/banzai/filter/label_reference_filter.rb
+8
-2
ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
+8
-3
ee/spec/policies/issuable_policy_spec.rb
ee/spec/policies/issuable_policy_spec.rb
+66
-0
ee/spec/requests/api/issues_spec.rb
ee/spec/requests/api/issues_spec.rb
+12
-3
lib/api/system_hooks.rb
lib/api/system_hooks.rb
+1
-1
lib/gitlab/markdown_cache.rb
lib/gitlab/markdown_cache.rb
+1
-1
lib/gitlab/user_access.rb
lib/gitlab/user_access.rb
+6
-1
spec/factories/pool_repositories.rb
spec/factories/pool_repositories.rb
+1
-1
spec/features/merge_request/user_views_open_merge_request_spec.rb
...tures/merge_request/user_views_open_merge_request_spec.rb
+17
-0
spec/lib/gitlab/asciidoc_spec.rb
spec/lib/gitlab/asciidoc_spec.rb
+43
-0
spec/lib/gitlab/user_access_spec.rb
spec/lib/gitlab/user_access_spec.rb
+9
-0
spec/models/project_spec.rb
spec/models/project_spec.rb
+58
-0
spec/requests/api/system_hooks_spec.rb
spec/requests/api/system_hooks_spec.rb
+5
-5
spec/services/projects/fork_service_spec.rb
spec/services/projects/fork_service_spec.rb
+1
-1
spec/services/projects/unlink_fork_service_spec.rb
spec/services/projects/unlink_fork_service_spec.rb
+11
-0
No files found.
CHANGELOG-EE.md
View file @
e0a6a21a
Please view this file on the master branch, on stable branches it's out of date.
Please view this file on the master branch, on stable branches it's out of date.
## 13.10.1 (2021-03-31)
### Security (1 change)
-
Escape HTML on scoped labels tooltip.
## 13.10.0 (2021-03-22)
## 13.10.0 (2021-03-22)
### Removed (1 change)
### Removed (1 change)
...
@@ -167,6 +174,13 @@ Please view this file on the master branch, on stable branches it's out of date.
...
@@ -167,6 +174,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Delete redirect files. !56169
-
Delete redirect files. !56169
## 13.9.5 (2021-03-31)
### Security (1 change)
-
Escape HTML on scoped labels tooltip.
## 13.9.4 (2021-03-17)
## 13.9.4 (2021-03-17)
-
No changes.
-
No changes.
...
@@ -337,6 +351,13 @@ Please view this file on the master branch, on stable branches it's out of date.
...
@@ -337,6 +351,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Review UI text - repo push rules settings. !52797
-
Review UI text - repo push rules settings. !52797
## 13.8.7 (2021-03-31)
### Security (1 change)
-
Escape HTML on scoped labels tooltip.
## 13.8.6 (2021-03-17)
## 13.8.6 (2021-03-17)
-
No changes.
-
No changes.
...
...
CHANGELOG.md
View file @
e0a6a21a
...
@@ -2,6 +2,28 @@
...
@@ -2,6 +2,28 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
entry.
## 13.10.1 (2021-03-31)
### Security (6 changes)
-
Leave pool repository on fork unlinking.
-
Fixed XSS in merge requests sidebar.
-
Fix arbitrary read/write in AsciiDoctor and Kroki gems.
-
Prevent infinite loop when checking if collaboration is allowed.
-
Disable arbitrary URI and file reads in JSON validator.
-
Require POST request to trigger system hooks.
### Removed (1 change)
-
Make HipChat project service do nothing. !57434
### Other (3 changes)
-
Remove direct mimemagic dependency. !57387
-
Refactor MimeMagic calls to new MimeType class. !57421
-
Switch to using a fake mimemagic gem. !57443
## 13.10.0 (2021-03-22)
## 13.10.0 (2021-03-22)
### Security (3 changes)
### Security (3 changes)
...
@@ -529,6 +551,28 @@ entry.
...
@@ -529,6 +551,28 @@ entry.
-
Convert mattermost alert to pajamas. !56556
-
Convert mattermost alert to pajamas. !56556
## 13.9.5 (2021-03-31)
### Security (6 changes)
-
Leave pool repository on fork unlinking.
-
Fixed XSS in merge requests sidebar.
-
Fix arbitrary read/write in AsciiDoctor and Kroki gems.
-
Prevent infinite loop when checking if collaboration is allowed.
-
Disable arbitrary URI and file reads in JSON validator.
-
Require POST request to trigger system hooks.
### Removed (1 change)
-
Make HipChat project service do nothing. !57434
### Other (3 changes)
-
Remove direct mimemagic dependency. !57387
-
Refactor MimeMagic calls to new MimeType class. !57421
-
Switch to using a fake mimemagic gem. !57443
## 13.9.4 (2021-03-17)
## 13.9.4 (2021-03-17)
### Security (1 change)
### Security (1 change)
...
@@ -1144,6 +1188,27 @@ entry.
...
@@ -1144,6 +1188,27 @@ entry.
-
Apply new GitLab UI for buttons in pipeline schedules.
-
Apply new GitLab UI for buttons in pipeline schedules.
## 13.8.7 (2021-03-31)
### Security (5 changes)
-
Fixed XSS in merge requests sidebar.
-
Leave pool repository on fork unlinking.
-
Fix arbitrary read/write in AsciiDoctor and Kroki gems.
-
Prevent infinite loop when checking if collaboration is allowed.
-
Require POST request to trigger system hooks.
### Removed (1 change)
-
Make HipChat project service do nothing. !57434
### Other (3 changes)
-
Remove direct mimemagic dependency. !57387
-
Refactor MimeMagic calls to new MimeType class. !57421
-
Switch to using a fake mimemagic gem. !57443
## 13.8.6 (2021-03-17)
## 13.8.6 (2021-03-17)
### Security (1 change)
### Security (1 change)
...
...
app/models/merge_request.rb
View file @
e0a6a21a
...
@@ -1350,8 +1350,8 @@ class MergeRequest < ApplicationRecord
...
@@ -1350,8 +1350,8 @@ class MergeRequest < ApplicationRecord
has_no_commits?
||
branch_missing?
||
cannot_be_merged?
has_no_commits?
||
branch_missing?
||
cannot_be_merged?
end
end
def
can_be_merged_by?
(
user
)
def
can_be_merged_by?
(
user
,
skip_collaboration_check:
false
)
access
=
::
Gitlab
::
UserAccess
.
new
(
user
,
container:
project
)
access
=
::
Gitlab
::
UserAccess
.
new
(
user
,
container:
project
,
skip_collaboration_check:
skip_collaboration_check
)
access
.
can_update_branch?
(
target_branch
)
access
.
can_update_branch?
(
target_branch
)
end
end
...
...
app/models/project.rb
View file @
e0a6a21a
...
@@ -2711,7 +2711,7 @@ class Project < ApplicationRecord
...
@@ -2711,7 +2711,7 @@ class Project < ApplicationRecord
# Issue for N+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/49322
# Issue for N+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/49322
Gitlab
::
GitalyClient
.
allow_n_plus_1_calls
do
Gitlab
::
GitalyClient
.
allow_n_plus_1_calls
do
merge_requests_allowing_collaboration
(
branch_name
).
any?
do
|
merge_request
|
merge_requests_allowing_collaboration
(
branch_name
).
any?
do
|
merge_request
|
merge_request
.
can_be_merged_by?
(
user
)
merge_request
.
can_be_merged_by?
(
user
,
skip_collaboration_check:
true
)
end
end
end
end
end
end
...
...
app/services/projects/unlink_fork_service.rb
View file @
e0a6a21a
...
@@ -32,6 +32,8 @@ module Projects
...
@@ -32,6 +32,8 @@ module Projects
if
fork_network
=
@project
.
root_of_fork_network
if
fork_network
=
@project
.
root_of_fork_network
fork_network
.
update
(
root_project:
nil
,
deleted_root_project_name:
@project
.
full_name
)
fork_network
.
update
(
root_project:
nil
,
deleted_root_project_name:
@project
.
full_name
)
end
end
@project
.
leave_pool_repository
end
end
# rubocop: disable Cop/InBatches
# rubocop: disable Cop/InBatches
...
...
app/views/shared/issuable/_sidebar.html.haml
View file @
e0a6a21a
...
@@ -138,7 +138,7 @@
...
@@ -138,7 +138,7 @@
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
.gl-display-flex.gl-align-items-center.gl-justify-content-space-between.gl-mb-2.hide-collapsed
.gl-display-flex.gl-align-items-center.gl-justify-content-space-between.gl-mb-2.hide-collapsed
%span
.gl-overflow-hidden.gl-text-overflow-ellipsis.gl-white-space-nowrap
%span
.gl-overflow-hidden.gl-text-overflow-ellipsis.gl-white-space-nowrap
=
_
(
'Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}'
).
html_safe
%
{
source_branch_open:
"<span class='gl-font-monospace'
title='
#{
source_branch
}
'>"
.
html_safe
,
source_branch_close:
"</span>"
.
html_safe
,
source_branch:
source_branch
}
=
_
(
'Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}'
).
html_safe
%
{
source_branch_open:
"<span class='gl-font-monospace'
data-testid='ref-name' title='
#{
html_escape
(
source_branch
)
}
'>"
.
html_safe
,
source_branch_close:
"</span>"
.
html_safe
,
source_branch:
html_escape
(
source_branch
)
}
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
-
if
show_forwarding_email
-
if
show_forwarding_email
...
...
changelogs/unreleased/mimemagic_shim.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Switch to using a fake mimemagic gem
merge_request
:
57443
author
:
type
:
other
changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Refactor MimeMagic calls to new MimeType class
merge_request
:
57421
author
:
type
:
other
changelogs/unreleased/remove-direct-mimemagic-dependency.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Remove direct mimemagic dependency
merge_request
:
57387
author
:
type
:
other
changelogs/unreleased/remove_hipchat_gem.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Make HipChat project service do nothing
merge_request
:
57434
author
:
type
:
removed
config/initializers/asciidoctor_patch.rb
0 → 100644
View file @
e0a6a21a
# frozen_string_literal: true
# Ensure that locked attributes can not be changed using a counter.
# TODO: this can be removed once `asciidoctor` gem is > 2.0.12
# and https://github.com/asciidoctor/asciidoctor/issues/3939 is merged
module
Asciidoctor
module
DocumentPatch
def
counter
(
name
,
seed
=
nil
)
return
@parent_document
.
counter
(
name
,
seed
)
if
@parent_document
# rubocop: disable Gitlab/ModuleWithInstanceVariables
unless
attribute_locked?
name
super
end
end
end
end
class
Asciidoctor::Document
prepend
Asciidoctor
::
DocumentPatch
end
doc/api/system_hooks.md
View file @
e0a6a21a
...
@@ -88,7 +88,7 @@ Example response:
...
@@ -88,7 +88,7 @@ Example response:
## Test system hook
## Test system hook
```
plaintext
```
plaintext
GE
T /hooks/:id
POS
T /hooks/:id
```
```
| Attribute | Type | Required | Description |
| Attribute | Type | Required | Description |
...
@@ -98,7 +98,7 @@ GET /hooks/:id
...
@@ -98,7 +98,7 @@ GET /hooks/:id
Example request:
Example request:
```
shell
```
shell
curl
--
header
"PRIVATE-TOKEN: <your_access_token>"
"https://gitlab.example.com/api/v4/hooks/2
"
curl
--
request
POST
--header
"PRIVATE-TOKEN: <your_access_token>"
"https://gitlab.example.com/api/v4/hooks/1
"
```
```
Example response:
Example response:
...
...
ee/app/policies/ee/issuable_policy.rb
View file @
e0a6a21a
...
@@ -5,6 +5,10 @@ module EE
...
@@ -5,6 +5,10 @@ module EE
extend
ActiveSupport
::
Concern
extend
ActiveSupport
::
Concern
prepended
do
prepended
do
condition
(
:is_author
)
do
@user
&&
@subject
.
author_id
==
@user
.
id
end
rule
{
can?
(
:read_issue
)
}.
policy
do
rule
{
can?
(
:read_issue
)
}.
policy
do
enable
:read_issuable_metric_image
enable
:read_issuable_metric_image
end
end
...
@@ -12,6 +16,15 @@ module EE
...
@@ -12,6 +16,15 @@ module EE
rule
{
can?
(
:create_issue
)
&
can?
(
:update_issue
)
}.
policy
do
rule
{
can?
(
:create_issue
)
&
can?
(
:update_issue
)
}.
policy
do
enable
:upload_issuable_metric_image
enable
:upload_issuable_metric_image
end
end
rule
{
is_author
|
can?
(
:create_issue
)
&
can?
(
:update_issue
)
}.
policy
do
enable
:destroy_issuable_metric_image
end
rule
{
~
is_project_member
}.
policy
do
prevent
:upload_issuable_metric_image
prevent
:destroy_issuable_metric_image
end
end
end
end
end
end
end
ee/changelogs/security-360-prevent-any-users-from-deleting-metrics-issue-images.yml
0 → 100644
View file @
e0a6a21a
---
title
:
Fix permissions for modifying issue metric images
merge_request
:
author
:
type
:
security
ee/lib/ee/api/issues.rb
View file @
e0a6a21a
...
@@ -79,6 +79,9 @@ module EE
...
@@ -79,6 +79,9 @@ module EE
end
end
delete
':metric_image_id'
do
delete
':metric_image_id'
do
issue
=
find_project_issue
(
params
[
:issue_iid
])
issue
=
find_project_issue
(
params
[
:issue_iid
])
authorize!
(
:destroy_issuable_metric_image
,
issue
)
metric_image
=
issue
.
metric_images
.
find_by_id
(
params
[
:metric_image_id
])
metric_image
=
issue
.
metric_images
.
find_by_id
(
params
[
:metric_image_id
])
render_api_error!
(
'Metric image not found'
,
404
)
unless
metric_image
render_api_error!
(
'Metric image not found'
,
404
)
unless
metric_image
...
@@ -93,12 +96,6 @@ module EE
...
@@ -93,12 +96,6 @@ module EE
end
end
helpers
do
helpers
do
include
::
API
::
Helpers
::
Packages
::
BasicAuthHelpers
def
project
authorized_user_project
end
def
max_file_size_exceeded?
def
max_file_size_exceeded?
params
[
:file
].
size
>
::
IssuableMetricImage
::
MAX_FILE_SIZE
params
[
:file
].
size
>
::
IssuableMetricImage
::
MAX_FILE_SIZE
end
end
...
...
ee/lib/ee/banzai/filter/label_reference_filter.rb
View file @
e0a6a21a
...
@@ -10,12 +10,18 @@ module EE
...
@@ -10,12 +10,18 @@ module EE
def
data_attributes_for
(
text
,
parent
,
object
,
link_content:
false
,
link_reference:
false
)
def
data_attributes_for
(
text
,
parent
,
object
,
link_content:
false
,
link_reference:
false
)
return
super
unless
object
.
scoped_label?
return
super
unless
object
.
scoped_label?
# Enabling HTML tooltips for scoped labels here but we do not need to do any additional
# Enabling HTML tooltips for scoped labels here and additional escaping is done in `object_link_title`
# escaping because the label's tooltips are already stripped of dangerous HTML
super
.
merge!
(
super
.
merge!
(
html:
true
html:
true
)
)
end
end
override
:object_link_title
def
object_link_title
(
object
,
matches
)
return
super
unless
object
.
scoped_label?
ERB
::
Util
.
html_escape
(
super
)
end
end
end
end
end
end
end
...
...
ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
View file @
e0a6a21a
...
@@ -5,9 +5,10 @@ require 'spec_helper'
...
@@ -5,9 +5,10 @@ require 'spec_helper'
RSpec
.
describe
Banzai
::
Filter
::
LabelReferenceFilter
do
RSpec
.
describe
Banzai
::
Filter
::
LabelReferenceFilter
do
include
FilterSpecHelper
include
FilterSpecHelper
let
(
:project
)
{
create
(
:project
,
:public
,
name:
'sample-project'
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
name:
'sample-project'
)
}
let
(
:label
)
{
create
(
:label
,
name:
'label'
,
project:
project
)
}
let
(
:label
)
{
create
(
:label
,
name:
'label'
,
project:
project
)
}
let
(
:scoped_label
)
{
create
(
:label
,
name:
'key::value'
,
project:
project
)
}
let
(
:scoped_description
)
{
'xss <script>alert("scriptAlert");</script> &<a>lt;svg id="svgId"></svg>'
}
let
(
:scoped_label
)
{
create
(
:label
,
name:
'key::value'
,
project:
project
,
description:
scoped_description
)
}
context
'with scoped labels enabled'
do
context
'with scoped labels enabled'
do
before
do
before
do
...
@@ -24,6 +25,10 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do
...
@@ -24,6 +25,10 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do
it
'renders HTML tooltips'
do
it
'renders HTML tooltips'
do
expect
(
doc
.
at_css
(
'.gl-label-scoped a'
).
attr
(
'data-html'
)).
to
eq
(
'true'
)
expect
(
doc
.
at_css
(
'.gl-label-scoped a'
).
attr
(
'data-html'
)).
to
eq
(
'true'
)
end
end
it
"escapes HTML in the label's title"
do
expect
(
doc
.
at_css
(
'.gl-label-scoped a'
).
attr
(
'title'
)).
to
include
(
'xss <svg id="svgId">'
)
end
end
end
context
'with a common label'
do
context
'with a common label'
do
...
...
ee/spec/policies/issuable_policy_spec.rb
0 → 100644
View file @
e0a6a21a
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
IssuablePolicy
,
models:
true
do
let
(
:non_member
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:reporter
)
{
create
(
:user
)
}
let
(
:guest_issue
)
{
create
(
:issue
,
project:
project
,
author:
guest
)
}
let
(
:reporter_issue
)
{
create
(
:issue
,
project:
project
,
author:
reporter
)
}
before
do
project
.
add_guest
(
guest
)
project
.
add_reporter
(
reporter
)
end
def
permissions
(
user
,
issue
)
described_class
.
new
(
user
,
issue
)
end
describe
'#rules'
do
context
'in a public project'
do
let_it_be
(
:project
)
{
create
(
:project
,
:public
)
}
let_it_be
(
:issue
)
{
create
(
:issue
,
project:
project
)
}
it
'disallows non-members from creating and deleting metric images'
do
expect
(
permissions
(
non_member
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
)
expect
(
permissions
(
non_member
,
issue
)).
to
be_disallowed
(
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows guests to read, create metric images, and delete them in their own issues'
do
expect
(
permissions
(
guest
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
)
expect
(
permissions
(
guest
,
issue
)).
to
be_disallowed
(
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
guest
,
guest_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows reporters to create and delete metric images'
do
expect
(
permissions
(
reporter
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
reporter
,
reporter_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
end
context
'in a private project'
do
let_it_be
(
:project
)
{
create
(
:project
,
:private
)
}
let_it_be
(
:issue
)
{
create
(
:issue
,
project:
project
)
}
it
'disallows non-members from creating and deleting metric images'
do
expect
(
permissions
(
non_member
,
issue
)).
to
be_disallowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows guests to read metric images, and create + delete in their own issues'
do
expect
(
permissions
(
guest
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
)
expect
(
permissions
(
guest
,
issue
)).
to
be_disallowed
(
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
guest
,
guest_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows reporters to create and delete metric images'
do
expect
(
permissions
(
reporter
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
reporter
,
reporter_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
end
end
end
ee/spec/requests/api/issues_spec.rb
View file @
e0a6a21a
...
@@ -705,7 +705,7 @@ RSpec.describe API::Issues, :mailer do
...
@@ -705,7 +705,7 @@ RSpec.describe API::Issues, :mailer do
using
RSpec
::
Parameterized
::
TableSyntax
using
RSpec
::
Parameterized
::
TableSyntax
let_it_be
(
:project
)
do
let_it_be
(
:project
)
do
create
(
:project
,
:p
rivate
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
create
(
:project
,
:p
ublic
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
end
end
let!
(
:image
)
{
create
(
:issuable_metric_image
,
issue:
issue
)
}
let!
(
:image
)
{
create
(
:issuable_metric_image
,
issue:
issue
)
}
...
@@ -722,6 +722,15 @@ RSpec.describe API::Issues, :mailer do
...
@@ -722,6 +722,15 @@ RSpec.describe API::Issues, :mailer do
end
end
shared_examples
'unauthorized_delete'
do
shared_examples
'unauthorized_delete'
do
it
'cannot delete the metric image'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
expect
(
image
.
reload
).
to
eq
(
image
)
end
end
shared_examples
'not_found'
do
it
'cannot delete the metric image'
do
it
'cannot delete the metric image'
do
subject
subject
...
@@ -734,9 +743,9 @@ RSpec.describe API::Issues, :mailer do
...
@@ -734,9 +743,9 @@ RSpec.describe API::Issues, :mailer do
:not_member
|
false
|
false
|
:unauthorized_delete
:not_member
|
false
|
false
|
:unauthorized_delete
:not_member
|
true
|
false
|
:unauthorized_delete
:not_member
|
true
|
false
|
:unauthorized_delete
:not_member
|
true
|
true
|
:unauthorized_delete
:not_member
|
true
|
true
|
:unauthorized_delete
:guest
|
false
|
true
|
:unauthorized_delete
:guest
|
false
|
true
|
:not_found
:guest
|
false
|
false
|
:unauthorized_delete
:guest
|
true
|
false
|
:can_delete_metric_image
:guest
|
true
|
false
|
:can_delete_metric_image
:guest
|
false
|
false
|
:can_delete_metric_image
:reporter
|
true
|
false
|
:can_delete_metric_image
:reporter
|
true
|
false
|
:can_delete_metric_image
:reporter
|
false
|
false
|
:can_delete_metric_image
:reporter
|
false
|
false
|
:can_delete_metric_image
end
end
...
...
lib/api/system_hooks.rb
View file @
e0a6a21a
...
@@ -47,7 +47,7 @@ module API
...
@@ -47,7 +47,7 @@ module API
params
do
params
do
requires
:id
,
type:
Integer
,
desc:
'The ID of the system hook'
requires
:id
,
type:
Integer
,
desc:
'The ID of the system hook'
end
end
ge
t
":id"
do
pos
t
":id"
do
hook
=
SystemHook
.
find
(
params
[
:id
])
hook
=
SystemHook
.
find
(
params
[
:id
])
data
=
{
data
=
{
event_name:
"project_create"
,
event_name:
"project_create"
,
...
...
lib/gitlab/markdown_cache.rb
View file @
e0a6a21a
...
@@ -3,7 +3,7 @@
...
@@ -3,7 +3,7 @@
module
Gitlab
module
Gitlab
module
MarkdownCache
module
MarkdownCache
# Increment this number every time the renderer changes its output
# Increment this number every time the renderer changes its output
CACHE_COMMONMARK_VERSION
=
2
6
CACHE_COMMONMARK_VERSION
=
2
7
CACHE_COMMONMARK_VERSION_START
=
10
CACHE_COMMONMARK_VERSION_START
=
10
BaseError
=
Class
.
new
(
StandardError
)
BaseError
=
Class
.
new
(
StandardError
)
...
...
lib/gitlab/user_access.rb
View file @
e0a6a21a
...
@@ -11,10 +11,11 @@ module Gitlab
...
@@ -11,10 +11,11 @@ module Gitlab
attr_reader
:user
,
:push_ability
attr_reader
:user
,
:push_ability
attr_accessor
:container
attr_accessor
:container
def
initialize
(
user
,
container:
nil
,
push_ability: :push_code
)
def
initialize
(
user
,
container:
nil
,
push_ability: :push_code
,
skip_collaboration_check:
false
)
@user
=
user
@user
=
user
@container
=
container
@container
=
container
@push_ability
=
push_ability
@push_ability
=
push_ability
@skip_collaboration_check
=
skip_collaboration_check
end
end
def
can_do_action?
(
action
)
def
can_do_action?
(
action
)
...
@@ -87,6 +88,8 @@ module Gitlab
...
@@ -87,6 +88,8 @@ module Gitlab
private
private
attr_reader
:skip_collaboration_check
def
can_push?
def
can_push?
user
.
can?
(
push_ability
,
container
)
user
.
can?
(
push_ability
,
container
)
end
end
...
@@ -98,6 +101,8 @@ module Gitlab
...
@@ -98,6 +101,8 @@ module Gitlab
end
end
def
branch_allows_collaboration_for?
(
ref
)
def
branch_allows_collaboration_for?
(
ref
)
return
false
if
skip_collaboration_check
# Checking for an internal project or group to prevent an infinite loop:
# Checking for an internal project or group to prevent an infinite loop:
# https://gitlab.com/gitlab-org/gitlab/issues/36805
# https://gitlab.com/gitlab-org/gitlab/issues/36805
(
!
project
.
internal?
&&
project
.
branch_allows_collaboration?
(
user
,
ref
))
(
!
project
.
internal?
&&
project
.
branch_allows_collaboration?
(
user
,
ref
))
...
...
spec/factories/pool_repositories.rb
View file @
e0a6a21a
...
@@ -6,7 +6,7 @@ FactoryBot.define do
...
@@ -6,7 +6,7 @@ FactoryBot.define do
state
{
:none
}
state
{
:none
}
before
(
:create
)
do
|
pool
|
before
(
:create
)
do
|
pool
|
pool
.
source_project
=
create
(
:project
,
:repository
)
pool
.
source_project
||
=
create
(
:project
,
:repository
)
pool
.
source_project
.
update!
(
pool_repository:
pool
)
pool
.
source_project
.
update!
(
pool_repository:
pool
)
end
end
...
...
spec/features/merge_request/user_views_open_merge_request_spec.rb
View file @
e0a6a21a
...
@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
...
@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
end
end
end
end
end
end
context
'XSS source branch'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
let
(
:source_branch
)
{
"'><iframe/srcdoc=''></iframe>"
}
before
do
project
.
repository
.
create_branch
(
source_branch
,
"master"
)
mr
=
create
(
:merge_request
,
source_project:
project
,
target_project:
project
,
source_branch:
source_branch
)
visit
(
merge_request_path
(
mr
))
end
it
'encodes branch name'
do
expect
(
find
(
"[data-testid='ref-name']"
)[
:title
]).
to
eq
(
source_branch
)
end
end
end
end
spec/lib/gitlab/asciidoc_spec.rb
View file @
e0a6a21a
...
@@ -92,6 +92,15 @@ module Gitlab
...
@@ -92,6 +92,15 @@ module Gitlab
expect
(
render
(
data
[
:input
],
context
)).
to
include
(
data
[
:output
])
expect
(
render
(
data
[
:input
],
context
)).
to
include
(
data
[
:output
])
end
end
end
end
it
'does not allow locked attributes to be overridden'
do
input
=
<<~
ADOC
{counter:max-include-depth:1234}
<|-- {max-include-depth}
ADOC
expect
(
render
(
input
,
{})).
not_to
include
(
'1234'
)
end
end
end
context
"images"
do
context
"images"
do
...
@@ -543,6 +552,40 @@ module Gitlab
...
@@ -543,6 +552,40 @@ module Gitlab
expect
(
render
(
input
,
context
)).
to
include
(
output
.
strip
)
expect
(
render
(
input
,
context
)).
to
include
(
output
.
strip
)
end
end
it
'does not allow kroki-plantuml-include to be overridden'
do
input
=
<<~
ADOC
[plantuml, test="{counter:kroki-plantuml-include:/etc/passwd}", format="png"]
....
class BlockProcessor
BlockProcessor <|-- {counter:kroki-plantuml-include}
....
ADOC
output
=
<<~
HTML
<div>
<div>
<a class=
\"
no-attachment-icon
\"
href=
\"
https://kroki.io/plantuml/png/eNpLzkksLlZwyslPzg4oyk9OLS7OL-LiQuUr2NTo6ipUJ-eX5pWkFlllF-VnZ-oW5CTmlZTm5uhm5iXnlKak1gIABQEb8A==
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer
\"
><img src=
\"
data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==
\"
alt=
\"
Diagram
\"
class=
\"
lazy
\"
data-src=
\"
https://kroki.io/plantuml/png/eNpLzkksLlZwyslPzg4oyk9OLS7OL-LiQuUr2NTo6ipUJ-eX5pWkFlllF-VnZ-oW5CTmlZTm5uhm5iXnlKak1gIABQEb8A==
\"
></a>
</div>
</div>
HTML
expect
(
render
(
input
,
{})).
to
include
(
output
.
strip
)
end
it
'does not allow kroki-server-url to be overridden'
do
input
=
<<~
ADOC
[plantuml, test="{counter:kroki-server-url:evilsite}", format="png"]
....
class BlockProcessor
BlockProcessor
....
ADOC
expect
(
render
(
input
,
{})).
not_to
include
(
'evilsite'
)
end
end
end
context
'with Kroki and BlockDiag (additional format) enabled'
do
context
'with Kroki and BlockDiag (additional format) enabled'
do
...
...
spec/lib/gitlab/user_access_spec.rb
View file @
e0a6a21a
...
@@ -216,6 +216,15 @@ RSpec.describe Gitlab::UserAccess do
...
@@ -216,6 +216,15 @@ RSpec.describe Gitlab::UserAccess do
expect
(
access
.
can_merge_to_branch?
(
@branch
.
name
)).
to
be_falsey
expect
(
access
.
can_merge_to_branch?
(
@branch
.
name
)).
to
be_falsey
end
end
end
end
context
'when skip_collaboration_check is true'
do
let
(
:access
)
{
described_class
.
new
(
user
,
container:
project
,
skip_collaboration_check:
true
)
}
it
'does not call Project#branch_allows_collaboration?'
do
expect
(
project
).
not_to
receive
(
:branch_allows_collaboration?
)
expect
(
access
.
can_push_to_branch?
(
'master'
)).
to
be_falsey
end
end
end
end
describe
'#can_create_tag?'
do
describe
'#can_create_tag?'
do
...
...
spec/models/project_spec.rb
View file @
e0a6a21a
...
@@ -5319,6 +5319,64 @@ RSpec.describe Project, factory_default: :keep do
...
@@ -5319,6 +5319,64 @@ RSpec.describe Project, factory_default: :keep do
end
end
end
end
describe
'#branch_allows_collaboration?'
do
context
'when there are open merge requests that have their source/target branches point to each other'
do
let_it_be
(
:project
)
{
create
(
:project
,
:repository
)
}
let_it_be
(
:developer
)
{
create
(
:user
)
}
let_it_be
(
:reporter
)
{
create
(
:user
)
}
let_it_be
(
:guest
)
{
create
(
:user
)
}
before_all
do
create
(
:merge_request
,
target_project:
project
,
target_branch:
'master'
,
source_project:
project
,
source_branch:
'merge-test'
,
allow_collaboration:
true
)
create
(
:merge_request
,
target_project:
project
,
target_branch:
'merge-test'
,
source_project:
project
,
source_branch:
'master'
,
allow_collaboration:
true
)
project
.
add_developer
(
developer
)
project
.
add_reporter
(
reporter
)
project
.
add_guest
(
guest
)
end
shared_examples_for
'successful check'
do
it
'does not go into an infinite loop'
do
expect
{
project
.
branch_allows_collaboration?
(
user
,
'master'
)
}
.
not_to
raise_error
end
end
context
'when user is a developer'
do
let
(
:user
)
{
developer
}
it_behaves_like
'successful check'
end
context
'when user is a reporter'
do
let
(
:user
)
{
reporter
}
it_behaves_like
'successful check'
end
context
'when user is a guest'
do
let
(
:user
)
{
guest
}
it_behaves_like
'successful check'
end
end
end
context
'with cross project merge requests'
do
context
'with cross project merge requests'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:target_project
)
{
create
(
:project
,
:repository
)
}
let
(
:target_project
)
{
create
(
:project
,
:repository
)
}
...
...
spec/requests/api/system_hooks_spec.rb
View file @
e0a6a21a
...
@@ -103,15 +103,15 @@ RSpec.describe API::SystemHooks do
...
@@ -103,15 +103,15 @@ RSpec.describe API::SystemHooks do
end
end
end
end
describe
"GET /hooks/:id"
do
describe
'POST /hooks/:id'
do
it
"returns hook by id"
do
it
"returns
and trigger
hook by id"
do
ge
t
api
(
"/hooks/
#{
hook
.
id
}
"
,
admin
)
pos
t
api
(
"/hooks/
#{
hook
.
id
}
"
,
admin
)
expect
(
response
).
to
have_gitlab_http_status
(
:
ok
)
expect
(
response
).
to
have_gitlab_http_status
(
:
created
)
expect
(
json_response
[
'event_name'
]).
to
eq
(
'project_create'
)
expect
(
json_response
[
'event_name'
]).
to
eq
(
'project_create'
)
end
end
it
"returns 404 on failure"
do
it
"returns 404 on failure"
do
ge
t
api
(
"/hooks/404"
,
admin
)
pos
t
api
(
"/hooks/404"
,
admin
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
end
end
...
...
spec/services/projects/fork_service_spec.rb
View file @
e0a6a21a
...
@@ -403,7 +403,7 @@ RSpec.describe Projects::ForkService do
...
@@ -403,7 +403,7 @@ RSpec.describe Projects::ForkService do
end
end
context
'when forking with object pools'
do
context
'when forking with object pools'
do
let
(
:fork_from_project
)
{
create
(
:project
,
:public
)
}
let
(
:fork_from_project
)
{
create
(
:project
,
:
repository
,
:
public
)
}
let
(
:forker
)
{
create
(
:user
)
}
let
(
:forker
)
{
create
(
:user
)
}
context
'when no pool exists'
do
context
'when no pool exists'
do
...
...
spec/services/projects/unlink_fork_service_spec.rb
View file @
e0a6a21a
...
@@ -207,6 +207,17 @@ RSpec.describe Projects::UnlinkForkService, :use_clean_rails_memory_store_cachin
...
@@ -207,6 +207,17 @@ RSpec.describe Projects::UnlinkForkService, :use_clean_rails_memory_store_cachin
end
end
end
end
context
'a project with pool repository'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
let!
(
:pool_repository
)
{
create
(
:pool_repository
,
:ready
,
source_project:
project
)
}
subject
{
described_class
.
new
(
project
,
user
)
}
it
'when unlinked leaves pool repository'
do
expect
{
subject
.
execute
}.
to
change
{
project
.
reload
.
has_pool_repository?
}.
from
(
true
).
to
(
false
)
end
end
context
'when given project is not part of a fork network'
do
context
'when given project is not part of a fork network'
do
let!
(
:project_without_forks
)
{
create
(
:project
,
:public
)
}
let!
(
:project_without_forks
)
{
create
(
:project
,
:public
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment